IN THE SENATE OF THE UNITED STATES
July 16, 2015
Mr. Daines (for himself and Mr. Blumenthal) introduced the following bill; which was read twice and referred to the Committee on Commerce, Science, and Transportation
To require operators that provide online and similar services to educational agencies, institutions, or programs to protect the privacy and security of personally identifiable information, and for other purposes.
This Act may be cited as the
Safeguarding American Families from Exposure by Keeping Information and Data Secure Act or the
SAFE KIDS Act.
In this Act:
The term Commission means the Federal Trade Commission.
The term covered information means personally identifiable information, and information that is linked or linkable to personally identifiable information, that—
is collected or generated through a school service; and
the operator of the school service knows or should know relates to a student; or
is collected, generated, or maintained at the direction of an educational agency, institution, or program serving the student or officials of such an agency, institution, or program, including teachers.
Early childhood education program
The term early childhood education program means a program that meets the requirements of clauses (i) and (ii)(III) of section 103(8)(C) of the Higher Education Act of 1965 (20 U.S.C. 1003).
Educational agency, institution, or program
educational agency, institution, or program means—
an educational agency or institution, as defined in section 444(a)(3) of the General Education Provisions Act (20 U.S.C. 1232g(a)(3)), except that such term does not include an institution of higher education; or
an early childhood education program.
The term eligible student means a student who—
is 18 years of age or older;
is enrolled in an institution of higher education; or
has graduated from a secondary school.
Institution of higher education
institution of higher education has the meaning given such term in section 102 of the Higher Education Act of 1965 (20 U.S.C. 1002).
The term PreK-12 purposes means purposes that—
aid in the administration of activities by an educational agency, institution, or program, including instruction in the classroom or at home, administrative activities, and collaboration between students, school personnel, or parents; or
are for the use and benefit of the educational agency, institution, or program.
Online contact information
The term online contact information means, with respect to a student, an email address or any other substantially similar identifier that permits direct contact with the student online, including an instant messaging user identifier, a voice over Internet protocol identifier, a video chat user identifier, or a screen name or user name that permits such contact.
The term operator means an entity that operates a school service, except that such term does not include an educational agency, institution, or program.
Personally identifiable information
The term personally identifiable information includes, with respect to a student—
the student’s first and last name;
the first and last name of the student’s parent or another family member;
the home or physical address of the student or student’s family;
online contact information for the student;
a personal identifier, such as the student’s social security number, student number, or biometric record;
a persistent identifier that can be used to recognize a user over time and across different Internet websites, online services, online applications, or mobile applications, including a customer number held in a cookie, an Internet Protocol address, a processor or device serial number, or another unique identifier;
a photograph, video, or audio recording that contains the student’s image or voice;
geolocation information sufficient to identify the street name and name of a city or town;
other indirect identifiers, such as the student’s date of birth, place of birth, or mother’s maiden name;
other information that, alone or in combination, would allow an operator or a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify a specific student with reasonable certainty; and
information requested by a person who the educational agency, institution, or program reasonably believes knows the identity of the student to whom the information relates.
The term school service means an Internet website, online service (including a cloud computing service), online application, or mobile application that is used for PreK-12 purposes and was designed and marketed for PreK-12 purposes.
The term State means each State of the United States, the District of Columbia, each territory or possession of the United States, and each federally recognized Indian tribe.
The term student means any individual who is or has been enrolled in an early childhood education program, elementary school, or secondary school.
The term targeted advertising means presenting advertisements to a student or the student’s parent, where the advertisements are selected based on information obtained or inferred from the student’s online behavior or use of online applications or mobile applications or from covered information about the student maintained by the operator of a school service.
Such term does not include presenting advertisements to a student or the student’s parent at an online location or through an online application or mobile application, if—
the advertisements are contextually relevant;
the advertisements are selected based on a single visit or session of use during which the advertisements are presented; and
information about the student’s online behavior or use of online applications or mobile applications is not collected or retained over time.
Terms defined in Elementary and Secondary Education Act of 1965
In this Act, the terms elementary school, parent, and secondary school have the meanings given such terms in section 9101 of the Elementary and Secondary Education Act of 1965 (20 U.S.C. 7801).
Protecting student privacy
An operator may not knowingly—
engage in or permit targeted advertising on a school service;
collect, generate, use, or disclose any covered information for purposes of targeted advertising;
sell covered information to a third party;
collect, generate, or use covered information (including using covered information to create a personal profile of a student) other than for PreK-12 purposes;
disclose covered information, unless the disclosure is made—
pursuant to lawful process or to ensure legal and regulatory compliance with Federal or State law;
in accordance with subsection (e), pursuant to an affirmative express request through a student's educational agency, institution, or program for disclosure of information specified in the request—
in the case of information about a student, from the student’s parent; or
in the case of information about a student’s parent or another user of the school service, from the parent or such other user, as the case may be;
in accordance with subsection (e), pursuant to an affirmative express request through a student’s educational agency, institution, or program from a student who is or has been enrolled in a secondary school, or the parent of such student, to disclose covered information specified in the request about the student to a third party in furtherance of postsecondary education or employment opportunities, for the purpose of—
providing or authenticating the student’s transcript, standardized test scores, letters of recommendation, or other information required by an institution of higher education for an application for admission or by a potential employer for an application for employment; or
providing information relating to—
admission to an institution of higher education; or
a scholarship or financial aid for attendance at an institution of higher education; or
to protect the safety of users or others or the security of the school service; or
notwithstanding paragraph (5), disclose covered information to a third-party service provider of the school service unless the operator contractually requires the provider to comply with all the provisions of this Act (including such paragraph).
An operator shall—
establish, implement, and maintain reasonable security procedures appropriate to the nature of covered information to protect the confidentiality, security, and integrity of covered information;
delete a student’s covered information that is not included in a student’s education records (as defined in section 444(a)(4) of the General Education Provisions Act (20 U.S.C. 1232g(a)(4))) (commonly known as the
Family Educational Rights and Privacy Act of 1974) within—
a reasonable time, not to exceed 45 days, after receiving a request for deletion through an educational agency, institution, or program from the student’s parent; or
within a reasonable time, not to exceed 2 years, after—
the information is no longer being used for PreK-12 purposes; and
providing notification, through an educational agency, institution, or program, to each student's parent of the impending deletion of the student's covered information;
obtain consent from the educational agency, institution, or program, through contracts or privacy policies in a manner that is clear and easy to understand, regarding the types of covered information collected or generated (if any), the purposes for which the covered information is used or disclosed to third parties, and the identity of any such third party;
facilitate access to and correction of covered information, through an educational agency, institution, or program—
in the case of information about a student, by the student’s parent; or
in the case of information about a parent or another user of the school service, by the parent or such other user, as the case may be.
Effect on mergers and acquisitions
The prohibitions of this section on sale and disclosure of covered information do not apply to the merger of an operator with another entity or the acquisition of the operator by another entity (including any subsequent merger or acquisition), provided that the operator or successor entity continues to be subject to the provisions of this section with respect to covered information acquired before the merger or acquisition.
This section shall continue to apply, after a student is no longer enrolled in an educational agency, institution, or program, to covered information relating to the student that was collected or generated while the student was enrolled.
Requirements for certain disclosures
An operator may disclose covered information under subparagraph (B) or (C) of subsection (a)(5) only after the operator—
ensures that the third-party recipient has provided assurances that it will not further disclose covered information to subsequent third parties, use any covered information pursuant to the request for any purpose other than fulfilling the purpose for which the request was made, nor take any other action inconsistent with this Act;
ensures that the third-party recipient has provided assurances that it will establish, implement and maintain reasonable security procedures as described in subsection (b)(1); and
provides a readily available mechanism for the requesting party to revoke the request.
Rules of construction
This Act shall not—
be construed to affect or otherwise alter the protections and guarantees set forth in section 444 of the General Education Provisions Act (20 U.S.C. 1232g) (commonly known as the
Family Educational Rights and Privacy Act of 1974), the Children’s Online Privacy Protection Act of 1998 (15 U.S.C. 6501 et seq.), or any other Federal statute relating to privacy protection;
be construed to limit the authority of a law enforcement agency to obtain content or information from an operator as authorized by law or pursuant to an order of a court of competent jurisdiction;
limit the ability of an operator to use information, including covered information, for adaptive or personalized student learning purposes;
limit an educational agency, institution, or program from providing Internet access service for its own use, to other educational agencies or institutions, or to students and their families;
be construed to prohibit an operator’s use of covered information for maintaining, developing, supporting, improving, or diagnosing the operator’s school service;
impose a duty upon a provider of an electronic store, gateway, marketplace, or other means of purchasing or downloading software or applications to review or enforce compliance with this Act by operators of school services; or
impede the ability of a student or the student’s parent to download, export, create, or otherwise save or maintain data or documents created by or about the student or noncommercial applications created by the student, except to the extent any such activity would result in disclosure prohibited by this Act of covered information of other students or users of a school service.
De-Identified covered information
Nothing in this Act prohibits an operator from—
using de-identified covered information within the operator’s school service or other sites, services, or applications owned by the operator to improve educational products;
using de-identified covered information to demonstrate the effectiveness of the operator’s products or services, including in the marketing of such products or services; or
disclosing de-identified covered information for research and development, including—
research, development, and improvement of educational sites, services, and applications; and
advancements in the science of learning.
Power To Consent and Rights Regarding Information About Eligible Student
Any provision of this Act that refers to the consent of the student’s parent for the use or disclosure of covered information or the right of the student’s parent to access or otherwise obtain, use, correct, request disclosure of, or request deletion of covered information, shall, in the case of covered information about an eligible student, be considered to refer to the consent or right of the student and not the student’s parent.
No effect on consent under other law
This Act does not modify the requirements or standards for consent, including consent from minors and employees on behalf of educational institutions, under any other provision of Federal law or under State law.
Implementation and enforcement
Enforcement by Federal Trade Commission
Unfair or deceptive acts or practices
A violation of this Act or a regulation promulgated under this Act shall be treated as a violation of a regulation under section 18(a)(1)(B) of the Federal Trade Commission Act (15 U.S.C. 57a(a)(1)(B)) regarding unfair or deceptive acts or practices.
Powers of the Commission
The Commission shall enforce this Act and the regulations promulgated under this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act, and any person who violates this Act or a regulation promulgated under this Act shall be subject to the penalties entitled to the privileges and immunities provided in the Federal Trade Commission Act, except as provided in paragraph (3).
Enforcement with respect to nonprofit organizations
Notwithstanding sections 4 and 5(a)(2) of the Federal Trade Commission Act (15 U.S.C. 44; 45(a)(2)), any jurisdictional limitation of the Commission with respect to nonprofit organizations shall not apply for purposes of this Act.
Preservation of Commission authority
Nothing in this Act may be construed in any way to limit or affect the Commission’s authority under any other provision of law.
The Commission may promulgate regulations under section 553 of title 5, United States Code, to carry out this Act. Such regulations shall further define the terms targeted advertising, research, development, and improvement of educational sites, services, and applications, advancements in the science of learning, postsecondary education or employment opportunities, and adaptive or personalized student learning purposes, as used in this Act.
Consultation and cooperation with Secretary of Education
The Commission shall consult and cooperate with the Secretary of Education in implementing and enforcing this Act, including in promulgating any regulations to carry out this Act, in matters involving educational agencies or institutions.
Relationship to State law
This Act does not annul, alter, or affect, or exempt any person subject to the provisions of this Act from complying with, the laws of any State with respect to the treatment of covered information by operators of school services, except to the extent that such laws are inconsistent with any provision of this Act, and then only to the extent of the inconsistency. For purposes of this paragraph, a law of a State is not inconsistent with this Act if the protection such law affords any user of a school service is greater than the protection provided by this Act.
Rule of construction
Any reference in this Act to State law shall be considered also to refer to the law of a political subdivision of a State.
This Act shall take effect on the date that is 18 months after the date of the enactment of this Act.